It’s not every day that a veteran chief information security officer (CISO) pens a book that blasts the mobile community for torpedoing enterprise security, so when I had a chance to read Barak Engel’s new book “Why CISOs Fail Security,” it seemed worthwhile. And it was.
The core argument in Engel’s book is that CISOs tend not to think mobile security through adequately, so they deploy systems that look secure on paper but work nowhere near as well as intended once real users get hold of them.
In one section of the book, he uses Starbucks as an example of well-intentioned mobile security gone bad. It involved Starbucks demanding a password every time a customer added funds to a Starbucks account. He writes:
“It’s about the need to enter your password. It is a classic example of an innocent, well-intentioned, security screwup. It’s easy to see when we think of it, not from a security controls perspective, but from a human behavioral perspective. When would you typically be attempting to reload your card? If you are like most people, it will be at exactly the least convenient time to do so—that is, while en-route to or in line (or more likely, trying to avoid the line) at the store, while on your phone.
“So now the app is asking you to enter your password at the least convenient moment, when you are most hurried in its use. It’s annoying to even have to think about it, but there it is. It’s important to protect our credit card, after all. So what is a loyal Starbucks customer to do? You know the answer already. You pick a simple password that’s easy for you to remember. And there it is. A well-intentioned security control that is divorced from situational human behavior has resulted in a weakening of the entire ecosystem of the Starbucks e-commerce platform—because, of course, that same password is also used to login to the main Starbucks Web site, where a lot more personal information and transactional capabilities about Starbucks customers are available to the enterprising collector of such curiosities.”
It’s not the worst security mistake Starbucks made — that would be its remarkable mobile-password-saved-in-the-clear fiasco — but it is illustrative of the mobile security problems today. In short, CISOs need to think more carefully about how and where their apps are likely to be used.
How well do you pen test your mobile apps?
Another mobile concern Engel touched on is mobile app penetration testing. He writes:
“Here is a question with an alarmingly low yes-to-no ratio: did you give pen testers all your mobile apps, including your own testing APIs with all the commands that are not part of the commercial release, so that they could run it through a proxy like Burp Suite and try to break your API that way?”
Engel, elaborating in a phone interview, said he sees the biggest mobile app security issue being how pen testing is typically handled — particularly how security standards (including PCI) specify what must be done.
“The incentive is just to get a passing grade. It instead should require that (the pen testing) is appropriately robust enough for your situation,” Engel says. “There is no standardized testing that will work in the mobile app world that will really test the APIs. So, many pen tests today produce a no-findings result, also known as stealth mode. And they are not finding anything because those tests are testing for the wrong things.”
This is simply the latest example of studying for the test instead of truly trying to learn the subject. Far too many security teams opt for the least-intrusive test that the standards require, regardless of the value of the data being protected or the potential damage from a successful intrusion. As long as they can say they did what the standard required, they’re happy. And you wonder why we’re seeing a major breach roughly every week?
IoT security a concern
Engel also worries about IoT — he can join the rather large club — and he points to mobile security procedures as an example. He writes:
“In this new world of IoT, where devices are increasingly connected, where wearables are fast becoming reality, a strategy that aims to address security at the end points is delusional at best. You may be able to convince employees to let you manage their personal smart phone, or at least a container inside of them that contains company data, but even that is doubtful.”
Company employees see the phone as an extension of their personal lives. They worry far more about a colleague getting to their personal data than they do about protecting their employer’s intellectual property. And yet IT has no choice but to allow and to even encourage mobile communications with clients and with sensitive corporate systems. To do otherwise would put the company at a huge competitive disadvantage.
The theme of Engel’s book is that so much of mobile security (and even security that has little to do with mobile) can be sharply improved by an attitude adjustment. Consider the problem we just discussed about BYOD. What if the company policy stressed the severe punishments should anyone be caught even trying to access personal data? What if it outlined strong processes that would make such snooping extremely difficult?
Most such memos are tone-deaf. The memos talk about the importance of corporate data and that employees must protect it. But that’s not the employees’ concern. If you want cooperation, stress what the intended audience — your employees — is frightened about and what they want to hear.
And thinking about how your customers will honestly use the technology is not a bad second act.